Hello,

I'm trying to get ftp working for clients behind a pf firewall running on 3.6. Both active and passive ftp connections work from the firewall itself but neither work from any clients behind the firewall. I'm using a default block all policy and from the tcpdumps I'm doing it looks like source ports are being blocked when they go to the lan interface to be transferred to the ftp-proxy. Here are my ftp rules:

EXT = "ep0"
LAN = "ed0"
LAN_CLIENTS = "192.168.0.0/24"
LAN_SERVER = "192.168.0.78"

set block-policy drop

scrub on $EXT reassemble tcp random-id

nat on $EXT from $LAN_CLIENTS to any -> ($EXT)

# redirect lan client active FTP requests (to an FTP server's control port 21)
# to the ftp-proxy running on the firewall host (via inetd on port 8021)
rdr on $LAN proto tcp from any to any port 21 -> 127.0.0.1 port 8021

# deny by default
block log all

# Allow remote FTP servers (on data port 20) to respond to the proxy's
# active FTP requests by contacting it on the port range specified in inetd.conf
pass in on $EXT \
    inet proto tcp \
    from any port 20 \
    to $EXT port 55000 >< 57000 \
    user proxy \
    flags S/SA keep state

# allow ftp active requests out
pass out on $EXT \
    inet proto tcp \
    from $EXT to any \
    port 20 \
    flags S/SA keep state

# allow firewall to contact ftp server on behalf of passive ftp client
# on control port 21
pass out on $EXT \
    inet proto tcp \
    from $EXT to any \
    port 21 \
    flags S/SA keep state

# allow firewall to contact ftp server on behalf of passive ftp client
# on standard unprivileged port range ( > 1024 )
pass out on $EXT \
    inet proto tcp \
    from $EXT to any \
    port > 1024 \
    flags S/SA keep state

My ftp-proxy line in inetd.conf uses the -u proxy, -n, -m 55550, -M 55600 and -t 180 options.

Help appreciated.

Thanks.
Dave.
On Sun, 05 Jun 2005 18:18:04 GMT, dave said something similar to:

: I'm trying to get ftp working for clients behind a pf firewall running
: on 3.6. Both active and passive ftp connections work from the firewall
: itself but neither work from any clients behind the firewall. I'm using a
: default block all policy and from the tcpdumps I'm doing it looks like
: source ports are being blocked when they go to the lan interface to be
: transferred to the ftp-proxy.

Of course the client to proxy traffic is being blocked. You're blocking by default and haven't explicitly permitted it.

pass in on $LAN inet proto tcp from $LAN_CLIENTS to 127.0.0.1 port 8021 \
    flags S/SA keep state
On Mon, 06 Jun 2005 15:35:51 -0500, Mike Delaney wrote:

> On Sun, 05 Jun 2005 18:18:04 GMT, dave said something similar to:
>
> : I'm trying to get ftp working for clients behind a pf firewall running
> : on 3.6. Both active and passive ftp connections work from the firewall
> : itself but neither work from any clients behind the firewall. I'm using a
> : default block all policy and from the tcpdumps I'm doing it looks like
> : source ports are being blocked when they go to the lan interface to be
> : transferred to the ftp-proxy.
>
> Of course the client to proxy traffic is being blocked. You're blocking by
> default and haven't explicitly permitted it.
>
> pass in on $LAN inet proto tcp from $LAN_CLIENTS to 127.0.0.1 port 8021 \
>     flags S/SA keep state

Or just use the 'pass' modifier to rdr:

    If the pass modifier is given, packets matching the translation
    rule are passed without inspecting the filter rules:

rdr pass on $LAN proto tcp from any to any port 21 -> 127.0.0.1 port 8021
Hello,

Thank you for your suggestions. I've tried both of them and now at least I can connect to ftp servers, but when I issue the first command, such as an ls, the remote system immediately terminates the connection.

For my firewall I'm following the setup tutorial at http://www.aei.ca/~pmatulis/pub/obsd_pf.html for my reference, without the dmz part. I'm then using ftp from the same site, though not using the flags S/AUPRFS as I read it was a problem causer.

Thanks.
Dave.
Shane Almeida <almeida.spam.is.evil@spam.is.evil.mindless.com> writes:

> Or just use the 'pass' modifier to rdr:
>
>     If the pass modifier is given, packets matching the translation
>     rule are passed without inspecting the filter rules:
>
> rdr pass on $LAN proto tcp from any to any port 21 -> 127.0.0.1 port 8021

If the OP has the option, I would recommend using ftpsesame (or better yet) pftpx. They're much simpler to deal with and get up and running. Pftpx has recently been imported and will be the new ftp-proxy for OpenBSD 3.8 and beyond. I have it working on an OpenBSD 3.6 box though and it should also work for 3.7.

--
David Magda <dmagda at ee.ryerson.ca>
Because the innovator has for enemies all those who have done well under
the old conditions, and lukewarm defenders in those who may do well under
the new. -- Niccolo Machiavelli, _The Prince_, Chapter VI
Hello,

Unfortunately, I'm stuck using what I have. I've got the connection going, but now when I issue a command, ls for instance, I get a 421 error. I am seeing dropped packets even though I've told the firewall to allow packets on the designated ftp proxy ports to pass.

Thanks.
Dave.
On Fri, 10 Jun 2005 12:25:26 GMT, dave wrote:

> Hello,
> Unfortunately, I'm stuck using what I have. I've got the connection
> going, but now when I issue a command, ls for instance, I get a 421 error. I
> am seeing dropped packets even though I've told the firewall to allow
> packets on the designated ftp proxy ports to pass.
> Thanks.
> Dave.

Post your complete ruleset again and the output from tcpdump on pflog0. ftp-proxy should work fine; something is misconfigured.
Hello,

Thanks for everyone's help so far. I wish this would work, but I'm very impressed and grateful for all the support. My rules are coming from an OpenBSD tutorial site I found on http://www.aei.ca/~pmatulis/pub/obsd_pf.html for packet filter, and for ftp proxy: http://www.aei.ca/~pmatulis/pub/obsd_ftp.html

I've changed flags from S/AUPRFS to just S/SA; I was informed that the former busted a lot of things (cddb) and it didn't work anyway. In inetd.conf my ftp-proxy line uses: -n -u proxy -m 55560 -M 55660 -t 180

The firewall can reach both active and passive ftp servers, but any internal lan clients can not. My ruleset is below. I don't know if this is related, but mpd isn't working either: external connections can not contact the mpd server. Aside from these two items everything else is working; I haven't tackled bandwidth limiting, that's next.

Thanks.
Dave.

/etc/pf.conf

# pf.conf

# define the two interface macros
EXT = "xl0"
LAN = "xl1"

# define some address macros
LAN_FIREWALL = "192.168.1.1"
LAN_CLIENTS = "192.168.1.0/24"
LAN_ADMIN = "192.168.1.0/24"
LAN_SERVER = "192.168.1.3"

# define some non-routeable addresses used in spoof attacks originating from the internet
PRIVATE_BLOCKS = "{ 127.0.0.0/8 192.168.0.0/16 172.16.0.0/12 10.0.0.0/8 !10.40.224.1 }"

# define some service macros
LAN_TO_INT_SERVICES = "{ ftp-data, ftp, ssh, smtp, 43, domain, http, pop3, nntp, imap, https, imaps, pop3s, 1790, 1791, 1792, 1793, 1794, 1795, 5190, cvsup, 6667, 8000, 8080, 8505, 8880 }"
INT_TO_LAN_SERVICES = "{ ssh, smtp, www, pop3, https, pop3s, 1723, 8000 }"
LAN_TO_FW_SERVICES = "{ ssh }"
FW_to_LAN_services = "{ ssh }"

# options
# expire state connections early
set optimization aggressive
set block-policy drop
set require-order yes
set fingerprints "/etc/pf.os"
# This helps protect against my maximum states being reached
# when being port scanned.
set timeout tcp.closed 1

# normalize packets to prevent fragmentation attacks
scrub on $EXT reassemble tcp random-id

# translate lan client addresses to that of EXT
nat on $EXT from $LAN_CLIENTS to any -> ($EXT)

# redirections
rdr on $EXT proto tcp from any to $EXT port 22 -> $LAN_SERVER port 22
rdr on $EXT proto tcp from any to any port 25 -> $LAN_SERVER port 25
rdr on $EXT proto tcp from any to any port 80 -> $LAN_SERVER port 80
rdr on $EXT proto tcp from any to any port 110 -> $LAN_SERVER port 110
rdr on $EXT proto tcp from any to any port 443 -> $LAN_SERVER port 443
rdr on $EXT proto tcp from any to any port 995 -> $LAN_SERVER port 995
rdr on $EXT proto tcp from any to any port 1723 -> $LAN_SERVER port 1723
rdr on $EXT proto tcp from any to any port 8000 -> $LAN_SERVER port 8000
rdr on $EXT proto gre from any to any -> $LAN_SERVER

# spam redirections
rdr on $EXT inet proto tcp from any os "Windows" to any port 25 -> 127.0.0.1 port 8025

# redirect lan client active FTP requests (to an FTP server's control port 21)
# to the ftp-proxy running on the firewall host (via inetd on port 8021)
rdr pass on $LAN proto tcp from any to any port 21 -> 127.0.0.1 port 8021

# deny by default

# pass loopback traffic
pass quick on lo0 all

# block windows email relays
block in quick on $EXT inet proto tcp from any os "Windows" to any port 25

# immediately prevent IPv6 traffic from entering or leaving all interfaces
block quick inet6 all

# silently block and drop broadcast cable modem noise
block in quick on $EXT from any to 255.255.255.255

# allow lan broadcasts
pass quick on $LAN proto { tcp, udp } from $LAN_CLIENTS to $LAN:broadcast

# Block bad tcp flags from malicious people and nmap scans
block in quick on $EXT proto tcp from any to any flags /S
block in quick on $EXT proto tcp from any to any flags /SFRA
block in quick on $EXT proto tcp from any to any flags /SFRAU
block in quick on $EXT proto tcp from any to any flags A/A
block in quick on $EXT proto tcp from any to any flags F/SFRA
block in quick on $EXT proto tcp from any to any flags U/SFRAU
block in quick on $EXT proto tcp from any to any flags SF/SF
block in quick on $EXT proto tcp from any to any flags SF/SFRA
block in quick on $EXT proto tcp from any to any flags SR/SR
block in quick on $EXT proto tcp from any to any flags FUP/FUP
block in quick on $EXT proto tcp from any to any flags FUP/SFRAUPEW
block in quick on $EXT proto tcp from any to any flags SFRAU/SFRAU
block in quick on $EXT proto tcp from any to any flags SFRAUP/SFRAUP
block in quick on $EXT proto tcp all flags FUP/FUP

# immediately prevent packets with invalid addresses from entering or exiting EXT (anti-spoofing measure)
block drop in quick on $EXT inet from $PRIVATE_BLOCKS to any
block drop out quick on $EXT inet from any to $PRIVATE_BLOCKS

# prevent lan originated spoofing from occurring
antispoof for $EXT inet

# block everything from entering EXT
block in log on $EXT all

# preventing invalid internet UDP and TCP requests from timing out
block return in on $EXT proto { udp, tcp } all

# allow internet requests to enter EXT
# in order to contact our lan server (keep state on this connection)
pass in on $EXT \
    inet proto tcp \
    from any to $LAN_SERVER \
    port $INT_TO_LAN_SERVICES \
    flags S/SA \
    keep state

# Allow remote FTP servers (on data port 20) to respond to the proxy's
# active FTP requests by contacting it on the port range specified in inetd.conf
pass in on $EXT \
    inet proto tcp \
    from any port 20 \
    to $EXT \
    user proxy \
    flags S/SA keep state

# mpd
pass in on $EXT inet proto gre to $LAN_SERVER keep state
pass quick on ng0 all

# block everything from exiting EXT
block out log on $EXT all

# allow UDP requests to port 53 from firewall to exit EXT
# in order to contact internet nameservers (keep state on this connection)
pass out on $EXT \
    inet proto udp \
    from $EXT to any \
    port 53 \
    keep state

# Allow UDP requests to port 67/68 from firewall to exit EXT
# in order to contact internet dhcp servers
# allow UDP requests to port 123 from firewall to exit EXT
# in order to contact internet ntp servers
# (keep state on this connection)
pass out on $EXT \
    inet proto udp \
    from $EXT to any \
    port { 67, 68, 123 } \
    keep state

# allow lan traffic from internet clients to exit EXT
# (after natting is performed) in order to contact internet web servers
# (keep state on this connection)
pass out on $EXT \
    inet proto tcp \
    from $EXT to any \
    port $LAN_TO_INT_SERVICES \
    flags S/SA keep state

# allow ICMP requests from firewall to exit EXT (after natting is performed)
# in order to ping/traceroute internet hosts on the behalf of lan admin
pass out on $EXT \
    inet proto icmp \
    from $EXT to any \
    icmp-type 8 \
    keep state

# allow ftp active requests out
pass out log on $EXT \
    inet proto tcp \
    from $EXT to any \
    port 20 \
    flags S/SA keep state

# allow firewall to contact ftp server on behalf of passive ftp client
# on control port 21
pass out log on $EXT \
    inet proto tcp \
    from $EXT to any \
    port 21 \
    flags S/SA keep state

# allow firewall to contact ftp server on behalf of passive ftp client
# on standard unprivileged port range ( > 1024 )
pass out log on $EXT \
    inet proto tcp \
    from $EXT to any \
    port 55600:55700 \
    flags S/SA keep state

# block everything from entering LAN
block in log on $LAN all

# allow UDP requests to port 53 from lan clients to enter LAN
# in order to perform dns queries on the firewall (keep state on this connection)
pass in on $LAN \
    inet proto udp \
    from $LAN_CLIENTS to $LAN_FIREWALL \
    port 53 \
    keep state

# allow UDP requests to ports 67, 68, and 123 from lan clients to enter lan
# in order to perform dhcp and ntp queries on the firewall (keep state on this connection)
pass in on $LAN \
    inet proto udp \
    from $LAN_CLIENTS to $LAN_FIREWALL \
    port { 67, 68, 123 } \
    keep state

# allow lan traffic from lan clients to enter lan
# in order to contact internet web servers (keep state on this connection)
pass in on $LAN \
    inet proto tcp \
    from $LAN_CLIENTS to any \
    port $LAN_TO_INT_SERVICES \
    flags S/SA keep state

# lan admin connects to firewall via ssh for administrative purposes
pass in on $LAN \
    inet proto tcp \
    from $LAN_ADMIN to $LAN_FIREWALL \
    port $LAN_TO_FW_SERVICES \
    keep state

# allow requests from lan admin to enter LAN
# in order to ping/traceroute any system (firewall, dmz server, and internet hosts)
pass in on $LAN \
    inet proto icmp \
    from $LAN_ADMIN to any \
    icmp-type 8 \
    keep state

pass in on $LAN proto tcp from $LAN:network to $LAN user proxy keep state
pass in on $LAN inet proto tcp from $LAN_CLIENTS to 127.0.0.1 port 8021 flags S/SA keep state

# allow firewall to contact ftp server on behalf of passive ftp client
# on standard unprivileged port range ( > 1024 )
pass in log on $LAN \
    inet proto tcp \
    from $LAN_CLIENTS to any \
    port 55600:55700 \
    flags S/SA keep state

# block everything from exiting LAN
block out log on $LAN all

# allow internet requests to exit lan
# in order to contact our web server (keep state on this connection)
pass out on $LAN \
    inet proto tcp \
    from any to $LAN_SERVER \
    port $INT_TO_LAN_SERVICES \
    keep state

# firewall connects to the lan server via scp/ssh for backup purposes
pass out on $LAN \
    inet proto tcp \
    from $LAN_FIREWALL to $LAN_SERVER \
    port $FW_to_LAN_services \
    keep state

tcpdump of ftp

# tcpdump -i pflog0 -ntqv
tcpdump: WARNING: pflog0: no IPv4 address assigned
tcpdump: listening on pflog0, link-type PFLOG (OpenBSD pflog file), capture size 96 bytes
IP (tos 0x0, ttl 64, id 17793, offset 0, flags [DF], length: 48) 65.31.41.46.55643 > 130.94.149.162.21: tcp 0
IP (tos 0x0, ttl 64, id 17811, offset 0, flags [DF], length: 48) 192.168.0.254.55610 > 192.168.0.2.2226: tcp 0
IP (tos 0x0, ttl 64, id 17825, offset 0, flags [DF], length: 48) 65.31.41.46.55634 > 129.128.5.191.21: tcp 0
IP (tos 0x0, ttl 64, id 17859, offset 0, flags [DF], length: 48) 192.168.0.254.55656 > 192.168.0.2.2229: tcp 0
IP (tos 0x80, ttl 116, id 839, offset 0, flags [none], length: 28) 65.31.95.144 > 65.31.41.46: icmp 8: echo request seq 42275
^C
5 packets captured
5 packets received by filter
0 packets dropped by kernel
On Sat, 11 Jun 2005 04:13:43 GMT, dave wrote:

> Hello,
> Thanks for everyone's help so far. I wish this would work, but I'm very
> impressed and grateful for all the support. My rules are coming from an
> OpenBSD tutorial site I found on:

You might want to try the official pf FAQ. I think the examples are a lot easier to follow than that guide you are using.

http://www.openbsd.org/faq/pf/

[snip a lot of pf rules]

Try adding more "log" directives to your rules. Other than that, I can't help much with your rules. I hate to say it, but I think maybe you should start over unless someone else can spot the problem. The ruleset you are using now is not really complex, but it's not trivial either. The order of some of the rules seems odd to me as well (e.g. I don't like the block rules mixed in with the pass rules). Maybe I'm just used to my style, but I found it hard to follow your rules.

My suggestion is to make a really simple ruleset and, once that is working, build up from there. Building from a very basic ruleset will help you debug and will probably make maintenance a lot easier. Try following the pf FAQ examples. The order of their rules seems much more logical to me. I find it a whole lot easier to read their ruleset than to try to figure out the one in the example you used. Here's the basic idea:

1. Create a NAT rule for the internal clients.
2. Create redirection to ftp-proxy.
3. Block and log everything by default.
4. Pass everything on lo0 (there's a fancy way to do this in 3.7).
5. Silently block traffic that shouldn't exist. You can use the antispoof rules and a table with RFC1918 addresses to do this easily.
6. Pass in traffic from the Internet to the services on the firewall and keep state. At this point you can test connectivity from an external host.
7. Pass in traffic from the LAN to the services on the firewall and keep state. You can do the same testing from internal hosts now.
8. Pass appropriate traffic on the LAN. Now test intranet communication.
9. Pass out traffic from the firewall (and NAT'ed clients) to the Internet. Test connections from the firewall and then from the NAT clients. Test FTP from both.

Sorry I couldn't give you more help on your rules, but I just can't make sense of them. Maybe I just need to look them over again in the morning.
On Sat, 11 Jun 2005 04:13:43 GMT, dave wrote:

> tcpdump of ftp
> # tcpdump -i pflog0 -ntqv

By the way, the -e flag to tcpdump is really useful for debugging pf rules. It tells you the rule that matched for each packet you log. It's a huge help when you're trying to figure out why something isn't working. Try it with your rules and see if you find anything interesting.
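Putting the thread's advice together: the ruleset below follows the nine-step order recommended above, uses the rdr pass redirection to the inetd-based ftp-proxy, and carries the user proxy rules the proxy needs on both interfaces and in both directions. It is an added example, not the pf FAQ's ruleset and not any poster's configuration, written in OpenBSD 3.6/3.7 syntax (nat and rdr before the filter rules, keep state spelled out). The interface names, addresses, port range and the inetd.conf line are assumptions (the inetd options are the ones posted in the thread); the one check worth making explicit is that the -m/-M range given to ftp-proxy in inetd.conf and the port range used in pf.conf must be the same range. The closing comments list the pfctl and tcpdump checks, including the -e flag the last reply recommends.

```pf
# /etc/pf.conf - a minimal NAT gateway with the inetd-based ftp-proxy, in
# OpenBSD 3.6/3.7 syntax (nat/rdr before the filter rules, "keep state" explicit).
# Added example; interface names, addresses and the port range are assumptions.
# The matching inetd.conf line (options as posted in the thread; -m/-M must be
# the same range as $proxy_ports below):
#   127.0.0.1:8021 stream tcp nowait root /usr/libexec/ftp-proxy ftp-proxy -n -u proxy -m 55000 -M 57000 -t 180

ext_if      = "xl0"
int_if      = "xl1"
lan_net     = "192.168.1.0/24"
proxy_ports = "55000:57000"
out_tcp     = "{ ssh, smtp, http, https }"
table <rfc1918> const { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 169.254.0.0/16 }

set block-policy drop
set loginterface $ext_if
scrub in on $ext_if all

# 1. NAT for the internal clients.
nat on $ext_if from $lan_net to any -> ($ext_if)

# 2. Redirect the LAN clients' FTP control connections to the proxy. "pass"
#    lets them skip the filter rules; without it an explicit
#    "pass in on $int_if inet proto tcp from $lan_net to 127.0.0.1 port 8021"
#    is needed instead.
rdr pass on $int_if proto tcp from $lan_net to any port 21 -> 127.0.0.1 port 8021

# 3. Block and log everything by default.
block log all

# 4. Loopback (OpenBSD 3.7 and later can use "set skip on lo0" instead).
pass quick on lo0 all

# 5. Traffic that should not exist: spoofed sources, private addresses on the
#    outside. If the upstream gateway itself has a private address, exclude it.
antispoof quick for { lo0, $int_if }
block drop in  quick on $ext_if from <rfc1918> to any
block drop out quick on $ext_if from any to <rfc1918>

# 6. Inbound from the Internet to the firewall: only the data connections an
#    FTP server opens from port 20 to the proxy's listening range (active mode
#    towards the server). "user proxy" ties the rule to the proxy's own sockets.
pass in on $ext_if inet proto tcp from any port 20 to ($ext_if) port $proxy_ports \
    user proxy flags S/SA keep state

# 7. LAN clients to services on the firewall itself.
pass in on $int_if inet proto tcp from $lan_net to ($int_if) port ssh flags S/SA keep state
pass in on $int_if inet proto udp from $lan_net to ($int_if) port domain keep state
#    Passive-mode clients open their data connection to the proxy's listening
#    port on the LAN side.
pass in on $int_if inet proto tcp from $lan_net to ($int_if) port $proxy_ports \
    user proxy flags S/SA keep state

# 8. LAN clients through the firewall, and the proxy back to the clients: an
#    active-mode client sends PORT, and the proxy (not the remote server)
#    connects from the firewall's LAN address to that port.
pass in  on $int_if inet proto tcp from $lan_net to any port $out_tcp flags S/SA keep state
pass in  on $int_if inet proto udp from $lan_net to any port domain keep state
pass out on $int_if inet proto tcp from ($int_if) to $lan_net user proxy flags S/SA keep state

# 9. Firewall (and NATed clients) to the Internet. The proxy's own outbound
#    connections are the control connection to port 21 and, for passive mode
#    towards the server, whatever unprivileged port the server's 227 reply names.
pass out on $ext_if inet proto tcp  from ($ext_if) to any port $out_tcp flags S/SA keep state
pass out on $ext_if inet proto udp  from ($ext_if) to any port { domain, ntp } keep state
pass out on $ext_if inet proto icmp from ($ext_if) to any icmp-type 8 keep state
pass out on $ext_if inet proto tcp  from ($ext_if) to any port ftp user proxy flags S/SA keep state
pass out on $ext_if inet proto tcp  from ($ext_if) to any port > 1023 user proxy flags S/SA keep state

# Checks: "pfctl -nf /etc/pf.conf" parses without loading; "pfctl -vvsr" lists
# the loaded rules with their numbers; "tcpdump -n -e -ttt -i pflog0" prints the
# matching rule number and the action for each logged packet, so packets logged
# by a "pass log" rule are not mistaken for drops.
```

Load it with pfctl -f /etc/pf.conf once pfctl -nf reports no errors, then test in the order the step list gives: FTP from the firewall first, from a LAN client second, watching tcpdump -n -e -ttt -i pflog0 on the firewall. None of the pass rules above log, so anything that appears on pflog0 with this ruleset was dropped by the default block rule.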